Malware Analysis Report

2025-08-06 04:05

Sample ID 240122-aarvbscfh6
Target 6e2ee4f2fb68cc5169594dc840eaa398
SHA256 121a71d2d2e648797d46e361bc5c6d9a791f768ae9296d7152f055373f318742
Tags metasploit backdoor evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 121a71d2d2e648797d46e361bc5c6d9a791f768ae9296d7152f055373f318742

Threat Level: Known bad

The file 6e2ee4f2fb68cc5169594dc840eaa398 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan upx

MetaSploit

Modifies security service

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

UPX packed file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Runs .reg file with regedit

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 00:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 00:00

Reported

2024-01-22 00:03

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3236 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
PID 3236 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
PID 3236 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
PID 4372 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\Decrypted.exe C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe
PID 4372 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\Decrypted.exe C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe
PID 4372 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\Decrypted.exe C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe
PID 1864 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1404 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1404 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1864 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe C:\Windows\SysWOW64\logs.exe
PID 1864 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe C:\Windows\SysWOW64\logs.exe
PID 1864 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe C:\Windows\SysWOW64\logs.exe
PID 1368 wrote to memory of 968 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 968 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 968 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\Decrypted.exe C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe
PID 4372 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\Decrypted.exe C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe
PID 4372 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\Decrypted.exe C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe
PID 1368 wrote to memory of 1672 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 1368 wrote to memory of 1672 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 1368 wrote to memory of 1672 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 1672 wrote to memory of 2664 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 2664 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 2664 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2664 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2664 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1672 wrote to memory of 1404 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 1672 wrote to memory of 1404 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 1672 wrote to memory of 1404 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 1404 wrote to memory of 3120 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3120 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3120 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3120 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3120 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1404 wrote to memory of 3612 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 1404 wrote to memory of 3612 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 1404 wrote to memory of 3612 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 3612 wrote to memory of 4940 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 4940 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 4940 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4940 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4940 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3612 wrote to memory of 644 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 3612 wrote to memory of 644 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 3612 wrote to memory of 644 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 644 wrote to memory of 1128 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1128 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1128 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1128 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1128 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 644 wrote to memory of 4716 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 644 wrote to memory of 4716 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 644 wrote to memory of 4716 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe
PID 4716 wrote to memory of 3780 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 3780 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 3780 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe

"C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe"

C:\Users\Admin\AppData\Local\Temp\Decrypted.exe

"C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"

C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe

C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1016 "C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe

C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1168 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1148 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1144 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1152 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1156 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1160 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1164 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1172 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 1176 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3236-0-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Decrypted.exe

MD5 0e246fd1dd8235f942b32e8dac657676
SHA1 e4c39e659db089023912e77b1b60c8a9ab162266
SHA256 75c1c8a97b399166ad4c8a30d62907730a271400e9e0b5e626f9f5efb049fed7
SHA512 58af1131ef7f95e9d19adedbf37e108f3047e03b35733be561adbb18a055ae114e6eb1cd7ad2acce8c1a6138d1ec96c9b2b6af093e03d6bfa4d9c70da9828c7b

memory/4372-13-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3236-16-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe

MD5 70cf71444e9d625943bb92f2229d1a3b
SHA1 ba1e719ae5f659b2e20ef9e855456eecd677d051
SHA256 0cdd4095dd78bfbf009d553190e5b46274cd63d4b7d333106c810134d90abcea
SHA512 372be4f83eb5ae17152004131ce7ec6e71b0c6ffbf2221162c86c5cee2753f02b5882617ed75ba87af70eed93f2a7dda0700ecbeafd30ab1cacb286f479ae1ee

\??\c:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c1e5f93e2bee9ca33872764d8889de23
SHA1 167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA256 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2e2266221550edce9a27c9060d5c2361
SHA1 f39f2d8f02f8b3a877d5969a81c4cb12679609f3
SHA256 e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb
SHA512 e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1c6131354c6987300ea512b765475b82
SHA1 2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53
SHA256 3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640
SHA512 b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5e073629d751540b3512a229a7c56baf
SHA1 8d384f06bf3fe00d178514990ae39fc54d4e3941
SHA256 2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e
SHA512 84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/3736-144-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe

MD5 49808f66424aec571b9d5025f36409dd
SHA1 38db0a611bd7d7d8aceb116fbca88768e15551d7
SHA256 8dc78feef0cb0f76d179ddb6ab0eb9ed8f9267df4c0d6d0ea74dc27fc2ccf821
SHA512 da67632a16ca5354dcc4e63c8884109513a4e4d6b4b7d57e376443ed5a93fa574226c80a5738f76b4884a88cf822bfa74433e0fbea9dc3833ddf9a5ad687a099

memory/4372-147-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3736-148-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6dd7ad95427e77ae09861afd77104775
SHA1 81c2ffe8c63e71f013a07e5794473b60f50c0716
SHA256 8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2
SHA512 171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f708dcfd087b5b3763678cfb8d63735e
SHA1 a38fa7fa516c1402762425176ff1b607db36c752
SHA256 abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10
SHA512 fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1a00c84e2e8a76c3caa6c0b89f9f0d6d
SHA1 2650e962d49c5800edb569ee1b989edc8868d9b9
SHA256 f477217e9368c8114de7621c41a01818957dae31140ffd7df2b39705c72543e6
SHA512 a5f2f271184ff3bad04dd2135e7d32ca32c2ad24400832ec8a143dcbc20449ede4e06b48479ba93609cb1caf0b41a9143698eafb07b032ebdd609e399d62288c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 584f47a0068747b3295751a0d591f4ee
SHA1 7886a90e507c56d3a6105ecdfd9ff77939afa56f
SHA256 927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5
SHA512 ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5bf31d7ea99b678c867ccdec344298aa
SHA1 2e548f54bf50d13993105c4f59bbeaeb87b17a68
SHA256 52be521b5509b444c0369ea7e69fc06b2d0b770cf600386c9a0178225ccdd281
SHA512 1bc82b65efe8c2be419748c8534210e7ad8cc8332ef87fb5df828eaebfdf630066ab3ad8d3ceeb82dee5ec4e680daff2748fcd4beaad8c71f1477b2ec7fe3564

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5855edf3afa67e11de78af0389880d18
SHA1 c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f
SHA256 c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa
SHA512 5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 752fd85212d47da8f0adc29004a573b2
SHA1 fa8fe3ff766601db46412879dc13dbec8d055965
SHA256 9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e
SHA512 d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 872656500ddac1ddd91d10aba3a8df96
SHA1 ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256 d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512 e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d8be0d42e512d922804552250f01eb90
SHA1 cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3
SHA256 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82
SHA512 f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 fadf3805f68986d2ee9c82f560a564e4
SHA1 87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6
SHA256 d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759
SHA512 e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5b77620cb52220f4a82e3551ee0a53a6
SHA1 07d122b8e70ec5887bad4ef8f4d6209df18912d0
SHA256 93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579
SHA512 9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2d9f1ff716273d19e3f0d10a3cd8736f
SHA1 b4ca02834dd3f3489c5088d2157279d2be90f5ff
SHA256 9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623
SHA512 1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2299014e9ce921b7045e958d39d83e74
SHA1 26ed64f84417eb05d1d9d48441342ca1363084da
SHA256 ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57
SHA512 0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8c6aa92ac8ffdfb7a0fb3dafd14d65f1
SHA1 cac3992d696a99a5dec2ab1c824c816117414b16
SHA256 dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa
SHA512 f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 159bb1d34a927f58fc851798c7c09b58
SHA1 c3a26565004531f3a93e29eabb0f9a196b4c1ba2
SHA256 53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd
SHA512 b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e427a32326a6a806e7b7b4fdbbe0ed4c
SHA1 b10626953332aeb7c524f2a29f47ca8b0bee38b1
SHA256 b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839
SHA512 6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b79d7c7385eb2936ecd5681762227a9b
SHA1 c2a21fb49bd3cc8be9baac1bf6f6389453ad785d
SHA256 fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019
SHA512 7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 00:00

Reported

2024-01-22 00:03

Platform

win7-20231215-en

Max time kernel

139s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\logs.exe C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File created C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A
File opened for modification C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2432 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe C:\Users\Admin\AppData\Local\Temp\Decrypted.exe 4
PID 2260 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\Decrypted.exe C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe 4
PID 2660 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2696 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 2660 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe C:\Windows\SysWOW64\logs.exe 4
PID 2508 wrote to memory of 2028 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2260 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\Decrypted.exe C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe 4
PID 2508 wrote to memory of 2116 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe 4
PID 2116 wrote to memory of 2500 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2500 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 2116 wrote to memory of 3000 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe 4
PID 3000 wrote to memory of 1612 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1612 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 3000 wrote to memory of 2716 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\logs.exe 4
PID 2716 wrote to memory of 2896 N/A C:\Windows\SysWOW64\logs.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2896 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe

"C:\Users\Admin\AppData\Local\Temp\6e2ee4f2fb68cc5169594dc840eaa398.exe"

C:\Users\Admin\AppData\Local\Temp\Decrypted.exe

"C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"

C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe

C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 492 "C:\Users\Admin\AppData\Local\Temp\tmpfile678.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe

C:\Users\Admin\AppData\Local\Temp\tmpfile679.exe

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 536 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 540 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 548 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 544 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 552 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 556 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 560 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 564 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\logs.exe

C:\Windows\system32\logs.exe 568 "C:\Windows\SysWOW64\logs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

memory/2432-0-0x0000000000400000-0x0000000000405000-memory.dmp

\Users\Admin\AppData\Local\Temp\Decrypted.exe

MD5 0e246fd1dd8235f942b32e8dac657676
SHA1 e4c39e659db089023912e77b1b60c8a9ab162266
SHA256 75c1c8a97b399166ad4c8a30d62907730a271400e9e0b5e626f9f5efb049fed7
SHA512 58af1131ef7f95e9d19adedbf37e108f3047e03b35733be561adbb18a055ae114e6eb1cd7ad2acce8c1a6138d1ec96c9b2b6af093e03d6bfa4d9c70da9828c7b

memory/2260-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2432-15-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2432-12-0x00000000003F0000-0x00000000003F9000-memory.dmp

memory/2432-6-0x00000000003F0000-0x00000000003F9000-memory.dmp

\Users\Admin\AppData\Local\Temp\tmpfile678.exe

MD5 70cf71444e9d625943bb92f2229d1a3b
SHA1 ba1e719ae5f659b2e20ef9e855456eecd677d051
SHA256 0cdd4095dd78bfbf009d553190e5b46274cd63d4b7d333106c810134d90abcea
SHA512 372be4f83eb5ae17152004131ce7ec6e71b0c6ffbf2221162c86c5cee2753f02b5882617ed75ba87af70eed93f2a7dda0700ecbeafd30ab1cacb286f479ae1ee

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c6b0028a6f5508ef564d624eda0e72bc
SHA1 18901c9856a9af672c2e27383c15d2da41f27b6b
SHA256 b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06
SHA512 5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5aa228bc61037ddaf7a22dab4a04e9a1
SHA1 b50fcd8f643ea748f989a06e38c778884b3c19f2
SHA256 65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b
SHA512 2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/2260-169-0x0000000000320000-0x0000000000325000-memory.dmp

memory/2260-171-0x0000000000320000-0x0000000000325000-memory.dmp

\Users\Admin\AppData\Local\Temp\tmpfile679.exe

MD5 49808f66424aec571b9d5025f36409dd
SHA1 38db0a611bd7d7d8aceb116fbca88768e15551d7
SHA256 8dc78feef0cb0f76d179ddb6ab0eb9ed8f9267df4c0d6d0ea74dc27fc2ccf821
SHA512 da67632a16ca5354dcc4e63c8884109513a4e4d6b4b7d57e376443ed5a93fa574226c80a5738f76b4884a88cf822bfa74433e0fbea9dc3833ddf9a5ad687a099

memory/1820-173-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2260-176-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1820-177-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a13ff758fc4326eaa44582bc9700aead
SHA1 a4927b4a3b84526c5c42a077ade4652ab308f83f
SHA256 c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588
SHA512 86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d8be0d42e512d922804552250f01eb90
SHA1 cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3
SHA256 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82
SHA512 f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

\Windows\SysWOW64\logs.exe

MD5 851f826418a68a324f0aac5495ef4db5
SHA1 08309312661e07877fdd246a355d55fb2cce70e5
SHA256 aef724f31840ba9539a4cb9235dcb2b7bd477cf923fe4f3bbfa6ae5dfd290a37
SHA512 17432d9bf2d2951830edfdcac16d3cd3ea445fa84c2c731f8b2189ca8a0b1191da1e3f1e0ccbaa9575608b415885b9184684b6dd664db8bf856c10745b480d1c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 872656500ddac1ddd91d10aba3a8df96
SHA1 ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256 d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512 e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3a1a83c2ffad464e87a2f9a502b7b9f1
SHA1 4ffa65ecdd0455499c8cd6d05947605340cbf426
SHA256 73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6
SHA512 8232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6fe56f6715b4c328bc5b2b35cb51c7e1
SHA1 8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3
SHA256 0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be
SHA512 8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a5d4cddfecf34e5391a7a3df62312327
SHA1 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e427a32326a6a806e7b7b4fdbbe0ed4c
SHA1 b10626953332aeb7c524f2a29f47ca8b0bee38b1
SHA256 b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839
SHA512 6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e2d37af73d5fe4a504db3f8c0d560e3d
SHA1 88c6bf5b485dd9c79283ccb5d2546ffbb95e563d
SHA256 e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008
SHA512 8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b99b0dc7cab4e69d365783a5c4273a83
SHA1 5fcc44aa2631c923e9961266a2e0dbeaaabe84da
SHA256 1fc967a5c8f7859ba0c410978d165085f241195fe4a31d61a127e38c30d435e4
SHA512 495474416f5eccd40829d42f050464903273d564cb862b1bd0657262485e634b5d466363cac085406c6d830f42a2f7b5648818b2efe6db1a90833a4b90a6a14d

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 82fb85e6f9058c36d57abc2350ffee7e
SHA1 f52708d066380d42924513f697ab4ed5492f78b8
SHA256 0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6
SHA512 27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a36f3bf3750851d8732b132fa330bb4
SHA1 1cb36be31f3d7d9439aac14af3d7a27f05a980eb
SHA256 5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9
SHA512 a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646